# PHPStan "disallowed calls" rule set: each entry names a PHP function whose
# call the analyser reports, together with the message shown to the developer.
# Optional keys per entry:
#   errorTip            – extra hint line appended to the report
#   allowParamsAnywhere – map of 1-based argument position → value; a call is
#                         allowed when that argument holds that value, whatever
#                         the other arguments are
# NOTE(review): this set only covers the functions listed here (information
# disclosure, runtime code loading, environment/process/socket control); any
# rule set for command execution or other insecure calls has to be kept
# separately and is not implied by this file.
parameters:
  disallowedFunctionCalls:
    # Environment manipulation: may clobber variables the request already relies on.
    -
      function: 'apache_setenv()'
      message: 'might overwrite existing variables'
    # Runtime loading of a shared extension, i.e. native code selected by a string.
    -
      function: 'dl()'
      message: 'removed from most SAPIs, might load untrusted code'
    # Dynamic code evaluation.
    -
      function: 'eval()'
      message: 'eval is evil, please write more code and do not use eval()'
    # create_function() compiles its string argument, so it is eval() in disguise.
    -
      function: 'create_function()'
      message: 'the function is about as evil as using eval()'
      errorTip: 'create_function() has been deprecated as of PHP 7.2, and removed as of PHP 8.0'
    # Imports array keys as local variables; with untrusted input this is
    # variable injection.
    -
      function: 'extract()'
      message: 'do not use extract() and especially not on untrusted data'
    # POSIX process / special-file primitives that an application script
    # should not need.
    -
      function: 'posix_getpwuid()'
      message: 'might reveal system user information'
    -
      function: 'posix_kill()'
      message: 'do not send signals to processes from the script'
    -
      function: 'posix_mkfifo()'
      message: 'do not create named pipes in the script'
    -
      function: 'posix_mknod()'
      message: 'do not create special files in the script'
    # Source / config disclosure; show_source() is the same function under
    # another name, so both must be listed.
    -
      function: 'highlight_file()'
      message: 'might reveal source code or config files'
    -
      function: 'show_source()'
      message: 'might reveal source code or config files (alias of highlight_file())'
    # Persistent sockets outlive the request; the non-persistent variant is
    # the intended replacement.
    -
      function: 'pfsockopen()'
      message: 'use fsockopen() to create non-persistent socket connections'
    # Debug output. Allowed only when argument 2 ($return) is true, because the
    # call then returns the dump as a string instead of printing it.
    -
      function: 'print_r()'
      message: 'use some logger instead'
      allowParamsAnywhere:
        2: true
    # Changes the scheduling priority of the running PHP process.
    -
      function: 'proc_nice()'
      message: 'changes the priority of the current process'
    # Environment manipulation, same concern as apache_setenv() above.
    -
      function: 'putenv()'
      message: 'might overwrite existing variables'
    # Server-side listening sockets: a web script should not accept connections.
    -
      function: 'socket_create_listen()'
      message: 'do not accept new socket connections in the PHP script'
    -
      function: 'socket_listen()'
      message: 'do not accept new socket connections in the PHP script'
    # var_dump() has no return parameter, so there is no allowed form.
    -
      function: 'var_dump()'
      message: 'use some logger instead'
    # Same rule as print_r(): argument 2 ($return) set to true returns a string.
    -
      function: 'var_export()'
      message: 'use some logger instead'
      allowParamsAnywhere:
        2: true
    # Prints the whole runtime configuration including request headers and
    # cookies, which exposes session identifiers to anyone who can read the page.
    -
      function: 'phpinfo()'
      message: 'might reveal session id or other tokens in cookies'
      errorTip: 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'